/*
 * Tencent is pleased to support the open source community by making TBase available.  
 * 
 * Copyright (C) 2019 Tencent.  All rights reserved.
 * 
 * TBase is licensed under the BSD 3-Clause License, except for the third-party component listed below. 
 * 
 * A copy of the BSD 3-Clause License is included in this file.
 * 
 * Other dependencies and licenses:
 * 
 * Open Source Software Licensed Under the PostgreSQL License: 
 * --------------------------------------------------------------------
 * 1. Postgres-XL XL9_5_STABLE
 * Portions Copyright (c) 2015-2016, 2ndQuadrant Ltd
 * Portions Copyright (c) 2012-2015, TransLattice, Inc.
 * Portions Copyright (c) 2010-2017, Postgres-XC Development Group
 * Portions Copyright (c) 1996-2015, The PostgreSQL Global Development Group
 * Portions Copyright (c) 1994, The Regents of the University of California
 * 
 * Terms of the PostgreSQL License: 
 * --------------------------------------------------------------------
 * Permission to use, copy, modify, and distribute this software and its
 * documentation for any purpose, without fee, and without a written agreement
 * is hereby granted, provided that the above copyright notice and this
 * paragraph and the following two paragraphs appear in all copies.
 * 
 * IN NO EVENT SHALL THE UNIVERSITY OF CALIFORNIA BE LIABLE TO ANY PARTY FOR
 * DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING
 * LOST PROFITS, ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS
 * DOCUMENTATION, EVEN IF THE UNIVERSITY OF CALIFORNIA HAS BEEN ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 * 
 * THE UNIVERSITY OF CALIFORNIA SPECIFICALLY DISCLAIMS ANY WARRANTIES,
 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS FOR A PARTICULAR PURPOSE.  THE SOFTWARE PROVIDED HEREUNDER IS
 * ON AN "AS IS" BASIS, AND THE UNIVERSITY OF CALIFORNIA HAS NO OBLIGATIONS TO
 * PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
 * 
 * 
 * Terms of the BSD 3-Clause License:
 * --------------------------------------------------------------------
 * Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
 * 
 * 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
 * 
 * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation 
 * and/or other materials provided with the distribution.
 * 
 * 3. Neither the name of Tencent nor the names of its contributors may be used to endorse or promote products derived from this software without 
 * specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, 
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS 
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 
 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH 
 * DAMAGE.
 * 
 */
/*
 * pgp-mpi-openssl.c
 *      OpenPGP MPI functions using OpenSSL BIGNUM code.
 *
 * Copyright (c) 2005 Marko Kreen
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *      notice, this list of conditions and the following disclaimer in the
 *      documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * contrib/pgcrypto/pgp-mpi-openssl.c
 */
#include "postgres.h"

#include <openssl/bn.h>

#include "contrib/pgcrypto/px.h"
#include "contrib/pgcrypto/pgp.h"

static BIGNUM *
mpi_to_bn(PGP_MPI *n)
{
    BIGNUM       *bn = BN_bin2bn(n->data, n->bytes, NULL);

    if (!bn)
        return NULL;
    if (BN_num_bits(bn) != n->bits)
    {
        px_debug("mpi_to_bn: bignum conversion failed: mpi=%d, bn=%d",
                 n->bits, BN_num_bits(bn));
        BN_clear_free(bn);
        return NULL;
    }
    return bn;
}

static PGP_MPI *
bn_to_mpi(BIGNUM *bn)
{
    int            res;
    PGP_MPI    *n;

    res = pgp_mpi_alloc(BN_num_bits(bn), &n);
    if (res < 0)
        return NULL;

    if (BN_num_bytes(bn) != n->bytes)
    {
        px_debug("bn_to_mpi: bignum conversion failed: bn=%d, mpi=%d",
                 BN_num_bytes(bn), n->bytes);
        pgp_mpi_free(n);
        return NULL;
    }
    BN_bn2bin(bn, n->data);
    return n;
}

/*
 * Decide the number of bits in the random component k
 *
 * It should be in the same range as p for signing (which
 * is deprecated), but can be much smaller for encrypting.
 *
 * Until I research it further, I just mimic gpg behaviour.
 * It has a special mapping table, for values <= 5120,
 * above that it uses 'arbitrary high number'.  Following
 * algorithm hovers 10-70 bits above gpg values.  And for
 * larger p, it uses gpg's algorithm.
 *
 * The point is - if k gets large, encryption will be
 * really slow.  It does not matter for decryption.
 */
static int
decide_k_bits(int p_bits)
{
    if (p_bits <= 5120)
        return p_bits / 10 + 160;
    else
        return (p_bits / 8 + 200) * 3 / 2;
}

int
pgp_elgamal_encrypt(PGP_PubKey *pk, PGP_MPI *_m,
                    PGP_MPI **c1_p, PGP_MPI **c2_p)
{
    int            res = PXE_PGP_MATH_FAILED;
    int            k_bits;
    BIGNUM       *m = mpi_to_bn(_m);
    BIGNUM       *p = mpi_to_bn(pk->pub.elg.p);
    BIGNUM       *g = mpi_to_bn(pk->pub.elg.g);
    BIGNUM       *y = mpi_to_bn(pk->pub.elg.y);
    BIGNUM       *k = BN_new();
    BIGNUM       *yk = BN_new();
    BIGNUM       *c1 = BN_new();
    BIGNUM       *c2 = BN_new();
    BN_CTX       *tmp = BN_CTX_new();

    if (!m || !p || !g || !y || !k || !yk || !c1 || !c2 || !tmp)
        goto err;

    /*
     * generate k
     */
    k_bits = decide_k_bits(BN_num_bits(p));
    if (!BN_rand(k, k_bits, 0, 0))
        goto err;

    /*
     * c1 = g^k c2 = m * y^k
     */
    if (!BN_mod_exp(c1, g, k, p, tmp))
        goto err;
    if (!BN_mod_exp(yk, y, k, p, tmp))
        goto err;
    if (!BN_mod_mul(c2, m, yk, p, tmp))
        goto err;

    /* result */
    *c1_p = bn_to_mpi(c1);
    *c2_p = bn_to_mpi(c2);
    if (*c1_p && *c2_p)
        res = 0;
err:
    if (tmp)
        BN_CTX_free(tmp);
    if (c2)
        BN_clear_free(c2);
    if (c1)
        BN_clear_free(c1);
    if (yk)
        BN_clear_free(yk);
    if (k)
        BN_clear_free(k);
    if (y)
        BN_clear_free(y);
    if (g)
        BN_clear_free(g);
    if (p)
        BN_clear_free(p);
    if (m)
        BN_clear_free(m);
    return res;
}

int
pgp_elgamal_decrypt(PGP_PubKey *pk, PGP_MPI *_c1, PGP_MPI *_c2,
                    PGP_MPI **msg_p)
{
    int            res = PXE_PGP_MATH_FAILED;
    BIGNUM       *c1 = mpi_to_bn(_c1);
    BIGNUM       *c2 = mpi_to_bn(_c2);
    BIGNUM       *p = mpi_to_bn(pk->pub.elg.p);
    BIGNUM       *x = mpi_to_bn(pk->sec.elg.x);
    BIGNUM       *c1x = BN_new();
    BIGNUM       *div = BN_new();
    BIGNUM       *m = BN_new();
    BN_CTX       *tmp = BN_CTX_new();

    if (!c1 || !c2 || !p || !x || !c1x || !div || !m || !tmp)
        goto err;

    /*
     * m = c2 / (c1^x)
     */
    if (!BN_mod_exp(c1x, c1, x, p, tmp))
        goto err;
    if (!BN_mod_inverse(div, c1x, p, tmp))
        goto err;
    if (!BN_mod_mul(m, c2, div, p, tmp))
        goto err;

    /* result */
    *msg_p = bn_to_mpi(m);
    if (*msg_p)
        res = 0;
err:
    if (tmp)
        BN_CTX_free(tmp);
    if (m)
        BN_clear_free(m);
    if (div)
        BN_clear_free(div);
    if (c1x)
        BN_clear_free(c1x);
    if (x)
        BN_clear_free(x);
    if (p)
        BN_clear_free(p);
    if (c2)
        BN_clear_free(c2);
    if (c1)
        BN_clear_free(c1);
    return res;
}

int
pgp_rsa_encrypt(PGP_PubKey *pk, PGP_MPI *_m, PGP_MPI **c_p)
{
    int            res = PXE_PGP_MATH_FAILED;
    BIGNUM       *m = mpi_to_bn(_m);
    BIGNUM       *e = mpi_to_bn(pk->pub.rsa.e);
    BIGNUM       *n = mpi_to_bn(pk->pub.rsa.n);
    BIGNUM       *c = BN_new();
    BN_CTX       *tmp = BN_CTX_new();

    if (!m || !e || !n || !c || !tmp)
        goto err;

    /*
     * c = m ^ e
     */
    if (!BN_mod_exp(c, m, e, n, tmp))
        goto err;

    *c_p = bn_to_mpi(c);
    if (*c_p)
        res = 0;
err:
    if (tmp)
        BN_CTX_free(tmp);
    if (c)
        BN_clear_free(c);
    if (n)
        BN_clear_free(n);
    if (e)
        BN_clear_free(e);
    if (m)
        BN_clear_free(m);
    return res;
}

int
pgp_rsa_decrypt(PGP_PubKey *pk, PGP_MPI *_c, PGP_MPI **m_p)
{
    int            res = PXE_PGP_MATH_FAILED;
    BIGNUM       *c = mpi_to_bn(_c);
    BIGNUM       *d = mpi_to_bn(pk->sec.rsa.d);
    BIGNUM       *n = mpi_to_bn(pk->pub.rsa.n);
    BIGNUM       *m = BN_new();
    BN_CTX       *tmp = BN_CTX_new();

    if (!m || !d || !n || !c || !tmp)
        goto err;

    /*
     * m = c ^ d
     */
    if (!BN_mod_exp(m, c, d, n, tmp))
        goto err;

    *m_p = bn_to_mpi(m);
    if (*m_p)
        res = 0;
err:
    if (tmp)
        BN_CTX_free(tmp);
    if (m)
        BN_clear_free(m);
    if (n)
        BN_clear_free(n);
    if (d)
        BN_clear_free(d);
    if (c)
        BN_clear_free(c);
    return res;
}
